EPIM email privacy risk.


SilverSound
Expert
Posts: 73
Joined: Tue Jun 09, 2020 6:46 am
Been thanked: 4 times

Re: EPIM email privacy risk.

Post by SilverSound »

admin wrote: Mon Jul 06, 2020 8:06 pm We use IE's rendering engine. When you open an email it renders out HTML; what it also does in the background we have no control over. Although one thing is certain - it's not trying to load images when such an option is enabled.
As IE is no longer a secure engine, you should either be using some kind of email sterilizer to strip out all content that is not sterilized CSS, an image or plain text, or you should change your rendering engine to something that is maintained and secure, which would probably be a wise move for future-proofing, as it is likely only a matter of time until Microsoft does something that will radically affect programs that rely on IE under Windows 10.

All that said, that makes the topic of this thread very accurate and raises a big red flag. EPIM email is a privacy risk until it is using a method that is safe and not allowing "mysterious" embedded connections to the internet in the background.
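The "email sterilizer" SilverSound describes, as an added example (my own Python, not EssentialPIM or The Bat code): an allowlist rewrite that keeps text, basic markup and inline cid: images and drops scripts, frames, event handlers and every remote reference before the body is handed to any rendering engine. The allowlists and the SAMPLE message are constructed assumptions, not anything from the thread.

```python
import re, html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "table",
                "tr", "td", "th", "div", "span", "h1", "h2", "h3", "img"}  # assumed allowlist
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "td": {"colspan"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "form", "head"}

class EmailSanitizer(HTMLParser):
    """Rebuilds the body from the allowlist; anything else is discarded, not escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip, self.blocked = [], 0, 0   # blocked: remote refs removed
    def _attr(self, tag, name, value):
        if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
            return None                         # on*, style, etc. never pass
        v = value.strip()
        if name == "src":                       # only inline (cid:) images survive
            if v.lower().startswith("cid:"):
                return v
            self.blocked += 1                   # a remote image would beacon home
            return None
        if name == "href" and not re.match(r"(https?|mailto):", v, re.I):
            return None                         # javascript:, data:, file: dropped
        return v
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1                      # swallow the element and its body
        elif not self.skip and tag in ALLOWED_TAGS:   # unknown tags vanish, text stays
            kept = ((n, self._attr(tag, n, v)) for n, v in attrs)
            safe = "".join(f' {n}="{html.escape(v)}"' for n, v in kept if v is not None)
            self.out.append(f"<{tag}{safe}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in {"br", "img"}:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))

def sanitize_email_html(body):
    """Returns (clean_html, number of remote references blocked)."""
    s = EmailSanitizer(); s.feed(body); s.close()
    return "".join(s.out), s.blocked

SAMPLE = (  # constructed message: tracking pixel, inline logo, script, frame, javascript: link
    '<head><style>body{background:url(http://t.example/x.png)}</style></head><p onclick="alert(1)">'
    'Hi <b>there</b></p><img src="http://t.example/p.gif"><img src="cid:logo@mail" alt="logo">'
    '<script>location="http://t.example/"</script><iframe src="http://t.example/f"></iframe>'
    '<a href="javascript:alert(1)">click</a><a href="https://example.org/">ok</a>')
```

The blocked count is worth surfacing in the UI (as "remote content was removed"), since it is exactly the background connection the thread is worried about.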
TumbleDoor
Guru
Posts: 138
Joined: Tue Jun 21, 2016 7:19 am
Been thanked: 15 times

Re: EPIM email privacy risk.

Post by TumbleDoor »

admin wrote: Mon Jul 06, 2020 8:06 pm We use IE's rendering engine. When you open an email it renders out HTML; what it also does in the background we have no control over. Although one thing is certain - it's not trying to load images when such an option is enabled.
Well, that is frightening as all get out... I may need to actually move the company away from EPIM for email until this is addressed properly. When it was just images that was one thing, but if emails are allowed to be doing who knows what fishy things in the background, that's just outright scary.

IMO Emails shouldn't be allowed to be doing anything online other than fetching images.
admin
Site Admin
Posts: 15603
Joined: Thu Nov 25, 2004 3:12 am
Has thanked: 1412 times
Been thanked: 984 times

Re: EPIM email privacy risk.

Post by admin »

In this case you'd need to stop using Windows and any other OS (Linux included) as this issue is on an OS level, see here, for instance (there's much more if you google it):
https://community.norton.com/en/forums/ ... iescom-why
Android version of EssentialPIM. Keep all your data in sync!
TumbleDoor
Guru
Posts: 138
Joined: Tue Jun 21, 2016 7:19 am
Been thanked: 15 times

Re: EPIM email privacy risk.

Post by TumbleDoor »

admin wrote: Mon Jul 06, 2020 9:42 pm In this case you'd need to stop using Windows and any other OS (Linux included) as this issue is on an OS level, see here, for instance (there's much more if you google it):
https://community.norton.com/en/forums/ ... iescom-why

Content delivery networks are not the issue here. Many fine and dandy things use Akamai's networks.

Just because I will let Microsoft connect to things hosted on a content delivery network does not mean I am willing to let every Tom, Dick, and Harry who sends me an email do the same.

If this was an IE thing that happened for every email as made by Microsoft it would be an OS issue. HOWEVER it is clear that this is something being exploited by specific emails and therefore not an issue in the OS, but the rendering engine being exploited. Which is of no surprise if it is IE as it is no longer properly supported by Microsoft.

In the time between my last comment and this one I downloaded The Bat and Process Monitor, set up an email account and tested it against EPIM, and these connections only happen on some emails in EPIM and on none of the same emails in The Bat.
a8907433
Guru
Posts: 1047
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 170 times

Re: EPIM email privacy risk.

Post by a8907433 »

This made me worried too, that EPIM is dependent on IE. But I uninstalled IE a long time ago (I know, uninstalling IE is not possible, but somehow I succeeded - I can't find any remains or start IE; my system simply doesn't know IE), but I know the really important parts of IE are still there, otherwise some programs dependent on IE would not work.
But I use a commercial ad blocker - AdFender - which promises to block not only ads but other privacy risks for browsers, including IE. I'm no developer, but I really hope Astonsoft knows what it is doing... so EPIM is safe and no privacy risk.
MetalDrop
Guru
Posts: 866
Joined: Sat Apr 09, 2016 10:19 pm
Been thanked: 189 times

Re: EPIM email privacy risk.

Post by MetalDrop »

a8907433 wrote: Tue Jul 07, 2020 4:57 am This made me worried too, that EPIM is dependent on IE. But I uninstalled IE a long time ago (I know, uninstalling IE is not possible, but somehow I succeeded - I can't find any remains or start IE; my system simply doesn't know IE), but I know the really important parts of IE are still there, otherwise some programs dependent on IE would not work.
But I use a commercial ad blocker - AdFender - which promises to block not only ads but other privacy risks for browsers, including IE. I'm no developer, but I really hope Astonsoft knows what it is doing... so EPIM is safe and no privacy risk.
It's actually pretty easy to uninstall the user interface for IE; however, its engine, which is where the worst vulnerabilities exist, cannot easily be removed, and if you do, all programs that use it will stop working properly, as you suspected.

There are few doubts that rendering unfiltered content in IE's engine is dangerous. IE has numerous well-documented security flaws, and the security chief at Microsoft is even on record warning people and developers that IE is not a browser, it is a "compatibility solution", and warns that using it out of that context is putting people in peril.

Even your protection system isn't a good fix for many IE security issues potentially related to EPIM, as it is proxy based, and many IE email attacks use embedded attacks which would bypass your local proxy because it only filters HTTP(S), and your email is coming in on POP or IMAP, which is not being filtered by the proxy.
EPIM Portable Pro Running/Tested On: Windows 11 Pro 64-bit US-ENG|i5-6400+Quadro P620|i7-7700K+1050ti|i7-8700K+970GTX|AMD 5600x+1080ti|16GB+RAM&NVMe SSDs
[I'm helpful and often reply to questions, however I am just a fellow user and not staff.]
a8907433
Guru
Posts: 1047
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 170 times

Re: EPIM email privacy risk.

Post by a8907433 »

But what would be the alternative? I have so much data in EPIM...
MetalDrop
Guru
Posts: 866
Joined: Sat Apr 09, 2016 10:19 pm
Been thanked: 189 times

Re: EPIM email privacy risk.

Post by MetalDrop »

a8907433 wrote: Tue Jul 07, 2020 6:47 pm But what would be the alternative? I have so much data in EPIM...
This really only affects emails. I personally have no intention of moving away wholly from EPIM because email is only a small part of what I use EPIM for.

That said since I started researching this when it was brought up several months ago elsewhere I have mostly though not entirely moved away from using EPIM for email for the time being.

If you mean alternatives for email until EPIM gets its rendering engine changed or finds another good fix: about any other major client I tested didn't have this issue because they use safer rendering engines. The Bat, as mentioned above, is a great client for security and probably one of the best you can buy.

If you mean a security system to protect you... a real-time active memory protection suite could offer decent protection, but even then it's not guaranteed, because IE is just not a tool that should be used to view external resources, as it is an outdated technology that fewer and fewer protection software vendors are paying attention to because it just shouldn't be being used.

You can really think of IE like Telnet: yes, it is still in Windows and probably will be for a long time because it's needed for old unsupported software to work, and Microsoft, unlike Apple, doesn't always just tell us to go suck a lemon. They give us the option to do really dangerous things if we have a good reason to.
EPIM Portable Pro Running/Tested On: Windows 11 Pro 64-bit US-ENG|i5-6400+Quadro P620|i7-7700K+1050ti|i7-8700K+970GTX|AMD 5600x+1080ti|16GB+RAM&NVMe SSDs
[I'm helpful and often reply to questions, however I am just a fellow user and not staff.]
admin
Site Admin
Posts: 15603
Joined: Thu Nov 25, 2004 3:12 am
Has thanked: 1412 times
Been thanked: 984 times

Re: EPIM email privacy risk.

Post by admin »

I see The Bat uses the Chromium engine for rendering HTML; will examine this opportunity and, if all is OK, schedule it for inclusion in the next major EPIM update.
Android version of EssentialPIM. Keep all your data in sync!
a8907433
Guru
Posts: 1047
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 170 times

Re: EPIM email privacy risk.

Post by a8907433 »

Thank you for your opinion!
I know, it only affects email. And I know (and used) The Bat too. But then they even started to bind the portable version to hardware in their license system - since that point I abandoned The Bat. I tried many others... but only Thunderbird remained, for many, many years now. But, in comparison to EPIM, it is huge and has no encryption built in, therefore I wanted to stay with EPIM. And because then ALL data (notes, passwords, calendar and email) are in one database. So, I don't know, I'm undecided what to do...
Perhaps Astonsoft can explain in detail the risks of using IE for email, and what they could do to solve this...
a8907433
Guru
Posts: 1047
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 170 times

Re: EPIM email privacy risk.

Post by a8907433 »

Sorry, I wrote my post before I saw admin's last post!
hyzhangzhy
Posts: 2
Joined: Sat Dec 15, 2018 4:40 pm

Re: EPIM email privacy risk.

Post by hyzhangzhy »

admin wrote: Tue Jul 07, 2020 8:18 pm I see The Bat uses the Chromium engine for rendering HTML; will examine this opportunity and, if all is OK, schedule it for inclusion in the next major EPIM update.
+1 for this, security is really very important!

And I can imagine this is a hard job. May you succeed! :D
admin
Site Admin
Posts: 15603
Joined: Thu Nov 25, 2004 3:12 am
Has thanked: 1412 times
Been thanked: 984 times

Re: EPIM email privacy risk.

Post by admin »

Thank you, I'm sure we will :)
Android version of EssentialPIM. Keep all your data in sync!
a8907433
Guru
Posts: 1047
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 170 times

Re: EPIM email privacy risk.

Post by a8907433 »

That is good news! What period of time are we talking of until this will be realized? Half a year, more than a year...? What about portability and size? Chromium is much bigger than EPIM! Is Chromium independent from Google? Nevertheless, I love EPIM, thank you!
TumbleDoor
Guru
Posts: 138
Joined: Tue Jun 21, 2016 7:19 am
Been thanked: 15 times

Re: EPIM email privacy risk.

Post by TumbleDoor »

a8907433 wrote: Sun Jul 12, 2020 6:41 pm That is good news! What period of time are we talking of until this will be realized? Half a year, more than a year...? What about portability and size? Chromium is much bigger than EPIM! Is Chromium independent from Google? Nevertheless, I love EPIM, thank you!
Chromium is an open source web browser whose biggest contributor is Google.
Chrome is the source code of that project compiled with Google's black-box code.

Web browsers are not engines.
IE = Trident
Chrome = WebKit -> Blink
Opera pre-buyout = Presto; after buyout = WebKit -> Blink
Safari = WebKit
Firefox = Gecko [modern Firefox still calls its engine Gecko, but it is very different from the classic Gecko that was forked to make Goanna]
Pale Moon = Goanna, a fork of classic Gecko

https://en.wikipedia.org/wiki/Compariso ... er_engines

History-wise, KHTML is what was forked to make WebKit, which was then forked to make Blink.

There are also many smaller custom engines that do very limited things, such as only rendering CSS and HTML and not supporting JavaScript, etc.

Thunderbird = based on Firefox
Current-day Outlook = based on Edge/Blink

The Bat recently updated their email client to use their own custom engine so that it only renders HTML and CSS, thus making it more secure by not even having script functionality to exploit. A lot of older email clients also used their own custom engines as well, as HTML and CSS are the only things that should be in emails, and building your own rendering engine for them is a relatively simple task given the libraries available. Script support is what makes most web browsers big, heavy, complex, and prone to security issues.

Anyway, digressing: if they use Blink then they will probably use a framework for it to make the job easier and faster. EPIM with no data is around 40-ish MB now; most Blink frameworks are around 100~140 MB, which will probably mean EPIM's install size will grow to 140~180 MB-ish.

By most storage standards, or compared to other programs of the same type, below 200 MB is pretty small and very easily portable. It's been many years since I've owned a USB key smaller than 2 GB.